MAECProject / schemas

MAEC Schemas and Schema Development

artifact_example.json is invalid #143

Closed chisholm closed 4 years ago

chisholm commented 4 years ago

An artifact SCO had a payload_bin property which had a CDATA snippet; it is supposed to be base64 encoded binary. The snip had what looked like hex-encoded binary, so I just extracted that part, and recoded it as base64.

This example is still invalid due to the invalid network-traffic SCO. It needs one of src_ref/dst_ref, and a protocols property. There's nothing in the example we might use to infer one; I think all we could do is make something up. What shall we do with this?

ikiril01 commented 4 years ago

@chisholm let's just add some arbitrary TCP traffic to make the example valid:

{
  "type": "ipv4-addr",
  "spec_version": "2.1",
  "id": "ipv4-addr--4d22aae0-2bf9-5427-8819-e4f6abf20a53",
  "value": "198.51.100.5"
}

{
  "type": "ipv4-addr",
  "spec_version": "2.1",
  "id": "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd",
  "value": "198.51.100.9"
}

{
  "id": "network-traffic--2568d22a-8998-58eb-99ec-3c8ca74f527d",
  "src_ref": "ipv4-addr--4d22aae0-2bf9-5427-8819-e4f6abf20a53",
  "dst_ref": "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd",
  "protocols": [
    "tcp"
  ]
}

chisholm commented 4 years ago

Done. The example translates now.
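
The two problems raised in this thread (a `payload_bin` that is not base64, and a network-traffic object missing `src_ref`/`dst_ref` or `protocols`) can be checked mechanically. The following is an added example, not code from the MAEC repository or the commenters; the function names, the artifact object and its placeholder id are assumptions made for illustration.

```python
import base64
import binascii
import re

HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2})+")

def hex_to_payload_bin(hex_text):
    """Re-encode hex-encoded bytes as the base64 string payload_bin expects."""
    return base64.b64encode(bytes.fromhex(hex_text)).decode("ascii")

def check_observables(objects):
    """Return problems for the artifact and network-traffic rules from the thread."""
    ids = {o.get("id") for o in objects}
    problems = []
    for o in objects:
        oid, otype = o.get("id", "<no id>"), o.get("type")
        if otype == "artifact" and "payload_bin" in o:
            value = o["payload_bin"]
            try:
                base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError, TypeError):
                problems.append(f"{oid}: payload_bin is not valid base64")
                continue
            # Hex text whose length is a multiple of 4 also decodes as base64,
            # so a decode check alone misses it; flag it as suspicious.
            if HEX_RE.fullmatch(value):
                problems.append(f"{oid}: payload_bin looks hex-encoded")
        elif otype == "network-traffic":
            refs = [o[k] for k in ("src_ref", "dst_ref") if k in o]
            if not refs:
                problems.append(f"{oid}: needs src_ref or dst_ref")
            if not o.get("protocols"):
                problems.append(f"{oid}: needs a non-empty protocols list")
            problems += [f"{oid}: {r} is not in the object list"
                         for r in refs if r not in ids]
    return problems

# Constructed sample: the thread's objects (with "type" added to the traffic
# object) plus a made-up artifact whose payload_bin is hex, not base64.
SRC = "ipv4-addr--4d22aae0-2bf9-5427-8819-e4f6abf20a53"
DST = "ipv4-addr--ff26c055-6336-5bc5-b98d-13d6226742dd"
SAMPLE = [
    {"type": "ipv4-addr", "id": SRC, "value": "198.51.100.5"},
    {"type": "ipv4-addr", "id": DST, "value": "198.51.100.9"},
    {"type": "network-traffic", "src_ref": SRC, "dst_ref": DST, "protocols": ["tcp"],
     "id": "network-traffic--2568d22a-8998-58eb-99ec-3c8ca74f527d"},
    {"type": "artifact", "payload_bin": "4d5a9000",
     "id": "artifact--00000000-0000-4000-8000-000000000000"},  # placeholder id
]
```

Calling `check_observables(SAMPLE)` reports only the artifact; replacing its `payload_bin` with `hex_to_payload_bin("4d5a9000")` clears the list.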